Permission Layer
Declarative, version-controlled rules that define exactly what your agent is allowed to do — and enforce it at runtime.
Principle of Least Privilege for AI Agents
Agents should have the minimum permissions needed to accomplish their task — nothing more. This is the principle of least privilege applied to AI systems.
The analogy to IAM roles is direct: you wouldn't give a Lambda function admin permissions to process a payment. You wouldn't give your customer support agent shell access to process a refund. The Permission Layer is the mechanism that enforces this boundary.
Over-permissioned agents don't just create security risk — they create liability. If your agent can write to the production database, send emails, and execute shell commands, then any prompt injection attack has the blast radius of all three.
Permission Types
- Tool permissions — which tools the agent may call
- Data permissions — which data stores it may read from or write to
- Network permissions — which external endpoints it may reach
- Compute permissions — maximum tokens, tool calls, and runtime per execution
Defining Permissions
from agentcop import PermissionLayer

permissions = PermissionLayer(
    agent_id="invoice-processor",
    # Tool permissions: an exact allow-list; a tool not named here cannot be called
    tools=["read_invoice", "write_invoice_status", "send_confirmation_email"],
    # Data permissions: glob patterns over store paths; "deny" names records the
    # agent must never touch even where a read/write pattern would otherwise match
    data={
        "read": ["invoices/*", "customers/*/email"],
        "write": ["invoices/*/status"],   # status field only, no other invoice fields
        "deny": ["customers/*/payment_method", "users/*"]
    },
    # Network permissions: allow-list plus catch-all deny, i.e. default-deny egress
    network={
        "allow": ["api.company.com", "mail.company.com"],
        "deny": ["*"]   # Block all other outbound
    },
    # Compute permissions: hard caps per execution, so a runaway loop is bounded
    compute={
        "max_tokens_per_run": 10000,
        "max_tool_calls_per_run": 20,
        "max_runtime_seconds": 30
    }
)
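The declaration above only states a policy; what turns it into a control is a runtime check that every tool call, data access, outbound connection and unit of compute passes through. The following is an added, standalone evaluator written for this page to show the semantics of the four permission types listed under Permission Types; it is not agentcop's implementation, and the `Enforcer` class, its method names, the `decide` precedence rule and the sample policy are all assumptions. It applies "explicit deny beats allow, anything unmatched is denied", then runs a constructed trace in which an injected instruction tries to read card data and push it to an outside host, and reports which steps survive.

```python
"""Added reference enforcer (illustration only, not agentcop's code).

Precedence assumed here: explicit deny patterns beat allow patterns, anything
unmatched is denied, and a bare "*" in a deny list only spells out that default.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed policy mirroring the invoice-processor declaration above.
POLICY = {
    "tools": ["read_invoice", "write_invoice_status", "send_confirmation_email"],
    "data": {
        "read": ["invoices/*", "customers/*/email"],
        "write": ["invoices/*/status"],
        "deny": ["customers/*/payment_method", "users/*"],
    },
    "network": {"allow": ["api.company.com", "mail.company.com"], "deny": ["*"]},
    "compute": {"max_tokens_per_run": 10000, "max_tool_calls_per_run": 20,
                "max_runtime_seconds": 30},
}


def decide(target: str, allow, deny) -> tuple[bool, str]:
    """Explicit deny > allow > default deny. fnmatchcase is case-sensitive and
    lets '*' cross '/', so 'invoices/*' also covers 'invoices/42/status'."""
    explicit_deny = [p for p in deny if p != "*"]
    if any(fnmatchcase(target, p) for p in explicit_deny):
        return False, f"{target!r} matches explicit deny rule"
    if any(fnmatchcase(target, p) for p in allow):
        return True, f"{target!r} allowed"
    return False, f"{target!r} not covered by any allow rule (default deny)"


@dataclass
class Enforcer:
    """Per-run guard; create one instance per agent execution so budgets reset."""
    policy: dict
    tokens: int = 0
    tool_calls: int = 0
    seconds: float = 0.0

    def tool(self, name: str) -> tuple[bool, str]:
        # Tool permissions are an exact allow-list; no globbing on tool names.
        self.tool_calls += 1  # count attempts, so a denied retry loop still burns budget
        if self.tool_calls > self.policy["compute"]["max_tool_calls_per_run"]:
            return False, "tool-call budget exhausted"
        ok = name in self.policy["tools"]
        return ok, f"tool {name!r} {'allowed' if ok else 'not in allow-list'}"

    def data(self, op: str, path: str) -> tuple[bool, str]:
        d = self.policy["data"]
        return decide(path, d.get(op, []), d["deny"])

    def network(self, host: str) -> tuple[bool, str]:
        n = self.policy["network"]
        return decide(host, n["allow"], n["deny"])

    def charge(self, tokens: int = 0, seconds: float = 0.0) -> tuple[bool, str]:
        """Account for model output and wall-clock; deny once any budget is over."""
        self.tokens += tokens
        self.seconds += seconds
        c = self.policy["compute"]
        if self.tokens > c["max_tokens_per_run"]:
            return False, "token budget exhausted"
        if self.seconds > c["max_runtime_seconds"]:
            return False, "runtime budget exhausted"
        return True, "within budget"


def injected_run() -> list[tuple[str, bool]]:
    """Constructed trace: mid-run, an injected instruction tries to read card
    data and send it to an attacker host. Only the legitimate steps should pass."""
    e = Enforcer(POLICY)
    steps = [
        ("read invoices/42",                e.data("read", "invoices/42")),
        ("write invoices/42/status",        e.data("write", "invoices/42/status")),
        ("write invoices/42/total",         e.data("write", "invoices/42/total")),    # write scope is status only
        ("read customers/7/email",          e.data("read", "customers/7/email")),
        ("read customers/7/payment_method", e.data("read", "customers/7/payment_method")),  # explicit deny
        ("read users/admin",                e.data("read", "users/admin")),
        ("net mail.company.com",            e.network("mail.company.com")),
        ("net exfil.example",               e.network("exfil.example")),             # default deny
        ("tool shell_execute",              e.tool("shell_execute")),
        ("tokens 12000",                    e.charge(tokens=12000)),
    ]
    return [(label, ok) for label, (ok, _reason) in steps]


if __name__ == "__main__":
    for label, ok in injected_run():
        print(f"{'ALLOW' if ok else 'DENY ':5} {label}")
```

Check the precedence your own enforcement layer applies before relying on a declaration like the one above. Under a strict "deny always wins" rule, network `deny: ["*"]` would swallow the allow list as well; the evaluator here treats the bare `"*"` as an explicit spelling of the default-deny and only lets narrower deny patterns override allows. Note also that `fnmatchcase` lets `*` cross `/`, so `invoices/*` matches `invoices/42/status`; use a segment-aware matcher if you need scoping per path component.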
OWASP LLM08 — Excessive Agency
The Permission Layer directly addresses OWASP LLM08, Excessive Agency. LLM08 (its number in the 2023 OWASP Top 10 for LLM Applications; the 2025 revision lists the same risk as LLM06) identifies excessive agency, meaning agents with more functionality, permissions or autonomy than their task requires, as a top-10 vulnerability class for LLM-based systems.
The risk is straightforward: an agent with write access to your database and the ability to send emails can, if manipulated, exfiltrate data or conduct phishing at scale. Constraining permissions through a declarative layer that the runtime enforces outside the model removes that capability, regardless of what the agent is convinced to do. The caveat is that the enforcement has to live outside the model: a line in the system prompt telling the agent not to call a tool is itself subject to injection and is not a permission control.
Permission Inheritance
Define a base set of denied operations that applies to all agents in your system, then extend per-agent with specific allowances.
# Base permissions for all agents: a deny-list that no per-agent extension should be able to re-allow
base = PermissionLayer.base(
    deny=["shell_execute", "delete_*", "sudo_*"]   # glob patterns cover whole tool families
)

# Agent-specific extends base: adds allowances and inherits every base denial
invoice_agent = base.extend(
    allow=["read_invoice", "write_invoice_status"]
)
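What inheritance has to guarantee is that an extension can add allowances but can never re-allow something the base denies; otherwise the organisation-wide deny list is only advisory. The following is an added illustration written for this page, not agentcop's API: the `PermissionSet` class and its `extend`, `permits` and `inherited_deny` methods are assumptions. It resolves deny patterns across every layer first, treats allows as exact tool names, lets a child layer tighten but not loosen its parent, and rejects at definition time an extension that tries to widen the base deny list.

```python
"""Added illustration of layered permissions (not agentcop's code)."""
from fnmatch import fnmatchcase


class PermissionSet:
    """One layer of a permission chain. Deny patterns are globs over tool names
    and are inherited by every descendant; allows are exact tool names."""

    def __init__(self, allow=(), deny=(), parent=None):
        self.allow = list(allow)
        self.deny = list(deny)
        self.parent = parent
        # Fail closed at definition time: an extension may not allow a tool that
        # any ancestor (or this layer itself) denies.
        for name in self.allow:
            for pattern in self.inherited_deny():
                if fnmatchcase(name, pattern):
                    raise ValueError(f"{name!r} is denied by base rule {pattern!r}")

    def inherited_deny(self) -> list[str]:
        """Deny patterns from this layer up to the root, in that order."""
        layer, patterns = self, []
        while layer is not None:
            patterns.extend(layer.deny)
            layer = layer.parent
        return patterns

    def extend(self, allow=(), deny=()) -> "PermissionSet":
        return PermissionSet(allow, deny, parent=self)

    def permits(self, tool: str) -> bool:
        # Any deny in the chain wins; otherwise the tool must be allowed by
        # some layer; anything else is default-deny.
        if any(fnmatchcase(tool, p) for p in self.inherited_deny()):
            return False
        layer = self
        while layer is not None:
            if tool in layer.allow:
                return True
            layer = layer.parent
        return False


# Constructed chain mirroring the base/extend declaration above.
base = PermissionSet(deny=["shell_execute", "delete_*", "sudo_*"])
invoice_agent = base.extend(allow=["read_invoice", "write_invoice_status"])
# A child may tighten its parent: a read-only variant for a reporting job.
invoice_readonly = invoice_agent.extend(deny=["write_invoice_status"])


def demo() -> dict[str, bool]:
    """Decisions a practitioner would want to confirm before trusting inheritance."""
    results = {
        "read_invoice": invoice_agent.permits("read_invoice"),          # allowed by extension
        "delete_invoice": invoice_agent.permits("delete_invoice"),      # base glob delete_* wins
        "shell_execute": invoice_agent.permits("shell_execute"),        # base deny wins
        "send_email": invoice_agent.permits("send_email"),              # never allowed: default deny
        "readonly_read": invoice_readonly.permits("read_invoice"),      # inherited allow
        "readonly_write": invoice_readonly.permits("write_invoice_status"),  # tightened by child
    }
    try:
        base.extend(allow=["delete_invoice"])   # attempt to widen the base deny list
        results["widen_rejected"] = False
    except ValueError:
        results["widen_rejected"] = True
    return results


if __name__ == "__main__":
    for tool, ok in demo().items():
        print(f"{tool:16} {'ALLOW' if ok else 'DENY'}")
```

The definition-time check is the part worth copying: a policy that is merely evaluated with "deny wins" will still behave correctly, but surfacing the conflict when the per-agent policy is written, rather than silently ignoring the attempted allow at runtime, catches misconfiguration in review instead of in production logs.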